Question Setup file with admin privileges

[Divine_Barakah]

Now let's say im installing Firefox. The setup requires admin privileges which I grant. Now at the end of installation there should be a check box to run Firefox after installation complete. Now since the setup file was granted admin privileges, does that pass admin privileges to Firefox when the installer runs it?

 

[Sampei.Nihira]

Of course not.

 

[Bot]

Now let's say im installing Firefox. The setup requires admin privileges which I grant. Now at the end of installation there should be a check box to run Firefox after installation complete. Now since the setup file was granted admin privileges, does that pass admin privileges to Firefox when the installer runs it?

Hello,

When you approve UAC for the Firefox installer, you’re elevating the installer process, not “everything it touches.”

So in normal cases, no, the checkbox to “Run Firefox after installation” does not make Firefox run as admin.

Here’s why:

• UAC elevation is a separate security token that belongs to the elevated installer.
• Applications do not automatically “inherit admin” just because an elevated process launched them.
• Most reputable installers intentionally launch the installed app as the logged-in user (non-elevated) at the end, even if the installer itself is elevated.

A couple of nuances:

• If you’re logged into an admin account, apps still usually start non-elevated unless you explicitly choose Run as administrator.
• An installer can choose to launch a child process elevated, but mainstream installers generally avoid running the main app elevated by default.

If you want to verify:

• Use Task Manager (Details tab) and add the Elevated column, or use Process Explorer, then see whether firefox.exe is elevated right after install.

Bottom line: Granting admin to the setup does not normally pass admin privileges to Firefox when it launches at the end.

 

[Wrecker4923]

It depends on the installer/launcher. A normal one would launch the child process in user mode, while a bad one might launch it in admin mode.

You can use Microsoft Sysinternals' "Process Explorer" (launched in admin mode) to check. The Properties -> Security tab would show the Administrators "Group" having a "Deny" flag for a non-admin app.

 

[Divine_Barakah]

Hello,

When you approve UAC for the Firefox installer, you’re elevating the installer process, not “everything it touches.”

So in normal cases, no, the checkbox to “Run Firefox after installation” does not make Firefox run as admin.

Here’s why:

• UAC elevation is a separate security token that belongs to the elevated installer.
• Applications do not automatically “inherit admin” just because an elevated process launched them.
• Most reputable installers intentionally launch the installed app as the logged-in user (non-elevated) at the end, even if the installer itself is elevated.

A couple of nuances:

• If you’re logged into an admin account, apps still usually start non-elevated unless you explicitly choose Run as administrator.
• An installer can choose to launch a child process elevated, but mainstream installers generally avoid running the main app elevated by default.

If you want to verify:

• Use Task Manager (Details tab) and add the Elevated column, or use Process Explorer, then see whether firefox.exe is elevated right after install.

Bottom line: Granting admin to the setup does not normally pass admin privileges to Firefox when it launches at the end.

It depends on the installer/launcher. A normal one would launch the child process in user mode, while a bad one might launch it in admin mode.

You can use Microsoft Sysinternals' "Process Explorer" (launched in admin mode) to check. The Properties -> Security tab would show the Administrators "Group" having a "Deny" flag for a non-admin app.

Gemini disagrees

Why this happens: Process Inheritance
When a program starts another program, it uses a function called CreateProcess. By default, the new process (the "child") inherits the access token of the program that started it (the "parent").
The Installer: Runs with elevated privileges (High Integrity Level) to write files to C:\Program Files.
The Browser: When the installer triggers the "Finish" action, it spawns firefox.exe.
The Result: Firefox starts with High Integrity Level because its "parent" was elevated.

 

[Bot]

You’re basically right that it depends on what the installer does, but there’s one important nuance:

An elevated installer launching a child process “normally” inherits elevation if it uses a straightforward process launch (e.g., CreateProcess). In other words, the default behavior is often:

• Elevated parent → elevated child

So for a “good/typical” installer that offers “Run app after install,” it usually has to do extra work to start the app non-elevated (for example, launching via the unelevated Explorer shell, using a helper process, scheduled task trickery, etc.). Many reputable installers do exactly that because running the app elevated (especially a browser) is a bad security practice.

About Process Explorer and the “Deny” flag
Process Explorer’s Properties → Security (token view) can indeed show the Administrators SID marked as Deny only when the process is running with a filtered (non-elevated) token under an admin account. That’s a token attribute, not “the Administrators group is denied by file permissions/ACLs.”

To verify elevation cleanly in practice, use one of these:

• Task Manager → Details → add the Elevated column (quickest).
• Process Explorer: check the process and look for Integrity level (Medium vs High) and whether it’s elevated.

Bottom line: An elevated installer can end up launching the app elevated, but reputable installers commonly take steps to launch the app unelevated after install. Checking the process token/elevation status (as you described) is the right way to confirm.

 

[Divine_Barakah]

You’re basically right that it depends on what the installer does, but there’s one important nuance:

An elevated installer launching a child process “normally” inherits elevation if it uses a straightforward process launch (e.g., CreateProcess). In other words, the default behavior is often:

• Elevated parent → elevated child

So for a “good/typical” installer that offers “Run app after install,” it usually has to do extra work to start the app non-elevated (for example, launching via the unelevated Explorer shell, using a helper process, scheduled task trickery, etc.). Many reputable installers do exactly that because running the app elevated (especially a browser) is a bad security practice.

About Process Explorer and the “Deny” flag
Process Explorer’s Properties → Security (token view) can indeed show the Administrators SID marked as Deny only when the process is running with a filtered (non-elevated) token under an admin account. That’s a token attribute, not “the Administrators group is denied by file permissions/ACLs.”

To verify elevation cleanly in practice, use one of these:

• Task Manager → Details → add the Elevated column (quickest).
• Process Explorer: check the process and look for Integrity level (Medium vs High) and whether it’s elevated.

Bottom line: An elevated installer can end up launching the app elevated, but reputable installers commonly take steps to launch the app unelevated after install. Checking the process token/elevation status (as you described) is the right way to confirm.

So it would be wise to uncheck "run app after installation" and manually run the app

 

[Bot]

So it would be wise to uncheck "run app after installation" and manually run the app

Yes—if your goal is to be absolutely sure the app does not start elevated, it’s a sensible habit to uncheck “Run app after installation” and then start it yourself after the installer exits.

Why this can be wise

• If the installer is running elevated and it launches the program directly, the program can end up elevated (depending on how it’s launched).
• Starting the app yourself from the Start menu/desktop normally launches it non-elevated (medium integrity) unless you explicitly choose Run as administrator or the shortcut is configured to always run elevated.
• For high-risk apps like browsers, avoiding an accidental elevated first launch is a good security practice.

Best practice workflow

• Uncheck “Run app after installation.”
• Finish the install and close the installer.
• Launch the app normally from Start menu.
• Optional: confirm in Task Manager (Details) with the Elevated column or in Process Explorer (Integrity level should be Medium, not High).

Bottom line: Unchecking that box and launching manually is a low-effort way to eliminate the “did it start elevated?” uncertainty, especially for browsers and other internet-facing apps.

 

[Wrecker4923]

Gemini disagrees

If you check answers from different AIs, they will give you different responses. The ultimate question is what API/process the installer uses to launch the child process.

Try installing Bitwarden (which requires admin mode), but the launched client at the end runs in non-admin mode.

 

[Divine_Barakah]

If you check answers from different AIs, they will give you different responses. The ultimate question is what API/process the installer uses to launch the child process.

Try installing Bitwarden (which requires admin mode), but the launched client at the end runs in non-admin mode.

So it depends on the installer?

Another thing i noticed in Ashampoo Uninstaller, when you lanuch a setup file from with Ashampoo to monitor its installation the setup file automatically gets granted Admin privileges whether needed or not.